minimum standards that developers should meet before writing code.

The Secure Programming Council, as the group is called, is releasing its first standards document today, focused on Java and J2EE development. The document is designed to serve as a set of essential skills for Java developers, instructing them in the safest ways to write applications and avoid common errors that lead to security vulnerabilities.

The document, "Essential Skills for Secure Programming Using Java/J2EE," will be available for public comment for 60 days. The council will then incorporate suggestions and release a final version.

The group also will produce standardized exams to test developers' skills against the standards. The tests will be administered in both the U.S. and abroad, beginning in London on Dec. 5, the council said. The group also is working on similar standards for Perl, PHP, .Net, C and C++ programmers.

The new council is just one of a handful of recent efforts to improve the quality and security of code that developers are turning out. The SANS Institute earlier this year started the Software Security Institute, a similar program involving education, skills assessment and testing. And Microsoft Corp., Symantec Corp., and other large software vendors recently began another group called SAFECode, focused on educating developers.

The Secure Programming Council comprises representatives from more than 40 organizations, and the committee that put together the Java documents includes Java security experts from Booz Allen & Hamilton, Ounce Labs, Deloitte and Touche and Kaiser Permanente, among others. Application security vendors, such as Fortify and Neohapsis, also are involved.

The minimum skills that the Java document lays out cover a broad range of topics, including data handling, authentication and session management, access control and encryption services.

During a press conference Tuesday afternoon, SANS Institute Research Director Alan Paller said having well-defined standards like this will give employers a way to measure whether the people writing code for them are prepared with the necessary skills and security know-how.

As for what was announced Tuesday, Paller said, "This is the first standard you need to know if you're going to write secure code for Java. There will be other standards but this is the first because Java is what most applications are written in and applications are what the attackers are targeting most right now."
